#!/usr/bin/env bash
set -euo pipefail
cat <<'EOF'
Tailscale-first mode:
- public firewall should expose only 80/443
- SSH and Kubernetes API should be reached over Tailscale
- ensure your workstation is authenticated to the same tailnet before bootstrap continues
EOF